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BSA is the leading advocate for the global software industry, which is at the forefront of the 
development of cutting-edge innovation, including cloud computing, data analytics, and artificial intelligence. 
Software-enabled technologies increasingly rely on data and, in some cases, personal data, to function. As a 
result, the protection of personal data is an important priority for BSA members, and we recognize that it is a 
key part of building customer trust. To that end, BSA promotes a user-centric approach to privacy that provides 
consumers with mechanisms to control their personal data. BSA also supports data protection frameworks that 
ensure the use of personal data is consistent with consumers’ expectations while also enabling companies to 
pursue legitimate business interests. 


As countries around the world consider the development of data protection frameworks, many have sought to 
identify global best practices for approaching these issues. BSA supports the implementation of best practices 
that increase the transparency of personal data collection and use; enable and respect informed choices by 
providing governance over that collection and use; provide consumers with control over their personal data; 
provide robust security; and promote the use of data for legitimate business purposes. We highlight below 
best practices that could help achieve these goals and serve as useful guideposts for the development 
and modification of data protection frameworks around the globe. 


Territorial Data protection frameworks should govern conduct that has a sufficiently close 

Scope connection to the country. The law should apply where: (1) residents are specifically 
targeted; (2) the personal data that is the object of the processing is purposefully 
collected from data subjects in the country at the time of the collection; and (3) 
such collection is performed by an entity established in the country through a stable 
arrangement giving rise to a real and effective level of activity. 


Definition of The scope of information included within the definition of personal data should be 

Personal Data information that relates to an identified or identifiable consumer. An identifiable 
consumer is one who can be identified, directly or indirectly, through reasonable effort, 
by reference to an identifier such as an consumer's name, an identification number, 
location data, an online identifier, or one or more factors specific to the consumer's 
physical, physiological, or genetic identity of that consumer. The scope of information 
covered should pertain to personal data that, if mishandled, would have a meaningful 
impact on a consumer's privacy. 


Data that is de-identified through robust technical and organizational measures to 
reasonably reduce the risk of re-identification should not be covered data under the 
framework. 
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Data protection frameworks should tailor protections to the risk of harm to consumers. 
Cognizable harm should reflect physical injury, adverse health effect, financial loss, 

or disclosure of sensitive personal data that is outside the reasonable expectation of 
consumers and creates a significant likelihood of concrete adverse consequences. 


Data controllers should provide clear and accessible explanations of their practices 
for handling personal data, including the categories of personal data they collect, 
the type of third parties with whom they share data, and the description of processes 
the controller maintains to review, request changes to, request a copy of, or delete 
personal data. 


Personal data should be relevant to the purposes for which it is collected and obtained 
by lawful means. Controllers should inform consumers of the purpose for which they 
are collecting personal data and should use that data in a manner that is consistent 
with that explanation, the context of the transaction, or reasonable expectation of the 
consumer, or in a manner that is otherwise compatible with the original purpose for 
which the data was collected. Controllers should employ governance systems that 
seek to ensure that personal data is used and shared in a manner that is compatible 
with the stated purposes. 


Personal data should be relevant to the purpose for which it is used and, to the extent 
necessary for those purposes, should be accurate, complete, and current. 


Data protection frameworks should recognize and enable the processing of data for 

a range of valid reasons, including legitimate business purposes that are consistent 
with the context of the transaction or expectations of consumers. Other valid purposes 
include processing in connection with the performance of a contract; in the public 
interest or the vital interest of the consumer; necessary for compliance with a legal 
obligation; or based on the consumer's consent. 


Data protection frameworks should not restrict organizations’ legitimate cybersecurity 
efforts; implementation of measures to detect or prevent fraud or identity theft; the 
ability to protect confidential information; or the exercise or defense of legal claims. 


Controllers should enable consumers to make informed choices and, where practical 
and appropriate, the ability to opt out of the processing of their personal data. In 
settings where consent is appropriate, consent should be provided at a time and 

in a manner that is relevant to the context of the transaction or the organization’s 
relationship with the consumer. 


Certain data, such as financial account information or health condition, may be 
particularly sensitive. If the processing of sensitive data implicates heightened privacy 
risks, controllers should enable consumers from whom they collect sensitive data to 
provide affirmative express consent. 
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Consumers should be able to request information about whether organizations have 
personal data relating to them and the nature of such data. They should be able to 
challenge the accuracy of that data and, as appropriate, have the data corrected or 
deleted. Consumers should also be able to obtain a copy of personal data that the 
consumer provided to the organization or was created by the consumer. Organizations 
should have the flexibility to determine the appropriate means and format of 
providing this information to the consumer. 


Controllers, which determine the means and purposes of processing personal data, 
should be primarily responsible for responding to these requests. Controllers may 
deny such requests where the burden or expense of doing so would be unreasonable 
or disproportionate to the risks to the consumer's privacy; to comply with legal 
requirements; to ensure network security; to otherwise protect confidential commercial 
information; for research purposes; or to avoid violating the privacy, free speech, or 
other rights of other consumers. 


Controllers should also implement secure verification procedures to authenticate the 
consumer making the request to address the risk of harm of improper disclosure of 
information. 


Controllers and processors should employ reasonable and appropriate security 
measures — relative to the volume and sensitivity of the data, size and complexity of 
the business, and cost of available tools — that are designed to prevent unauthorized 
access, destruction, use, modification, and disclosure of personal data. 


Data controllers should notify consumers as soon as practicable after discovering 

a personal data breach involving the unauthorized acquisition of unencrypted or 
unredacted personal data that creates a material risk of identity theft or financial 
fraud. Such breaches may be reported to supervisory authorities on a regular basis 
along with the security measures taken by the organization as part of accountability 
requirements. 


Controllers should develop policies and procedures that provide the safeguards 
outlined here, including designating persons to coordinate programs implementing 
these safeguards and providing employee training and management; regularly 
monitoring and assessing the implementation of those programs; and, where 
necessary, adjusting practices to address issues as they arise. 


As part of these measures, controllers may conduct periodic risk assessments when 
processing sensitive data and, where they identify a significant risk of harm, document 
the implementation of appropriate safeguards. Governments should not impose 
requirements to report risk assessments to or seek prior consultation with regulatory 
authorities, as they create unnecessary administrative burdens and delay the delivery 
of valuable services without a corresponding benefit to privacy protection. 








Cross-Border 
Data Transfers 


Obligations of 
Controllers and 
Processors/ 
Allocation of 
Liability 


Remedies and 
Penalties 


Data protection frameworks should enable and encourage global data flows, 

which underpin the global economy. Organizations that transfer data globally 

should implement procedures to ensure the data transferred outside of the country 
continues to be protected. Where differences exist among data protection regimes, 
governments should create tools to bridge those gaps in ways that both protect 
privacy and facilitate global data transfers. Data protection frameworks should prohibit 
data localization requirements for both the public and private sectors, which can 
frustrate efforts to implement security measures, impede business innovation, and limit 
services available to consumers. 


Data controllers, which determine the means and purposes of processing personal 
data, should have primary responsibility for satisfying legal privacy and security 
obligations. Data processors, which process data on behalf of controllers, should be 
responsible for following the controller's instructions pursuant to their contractual 
agreements. Controllers and processors should have the flexibility to negotiate their 
own contractual terms, without mandatory, prescriptive language provided by the law. 


A central regulator should have the tools and resources necessary to ensure effective 
enforcement. Remedies and penalties should be proportionate to the harm resulting 
from violations of data protection laws. Civil penalties should not be set arbitrarily 

or based on factors that lack a substantial connection to the context in which the 
underlying harm arose. Criminal penalties are not proportionate remedies for violation 
of data protection laws. 





